Subscribe to the Non-Human & AI Identity Journal

Notifications
Clear all

PQC in Apache on AlmaLinux 10: what it means for TLS teams


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 11631
Topic starter  

TL;DR: A hybrid X25519MLKEM768 key exchange working in a preview PQC environment was shown in Apache tests on AlmaLinux 10, according to Cybertrust Japan, while also using an ECDSA self-signed certificate with correct CA:FALSE constraints to avoid certificate misuse. The practical issue is not whether PQC exists, but how teams prepare authentication and TLS estates for harvest-now, decrypt-later risk before the transition becomes mandatory.

NHIMG editorial — based on content published by Cybertrust Japan: AlmaLinux 10 PQC testing in Apache with hybrid X25519MLKEM768

By the numbers:

Questions worth separating out

Q: What breaks when PQC is introduced without a full certificate and client inventory?

A: The rollout usually fails at compatibility and trust boundaries, not at the algorithm level.

Q: Why does harvest-now, decrypt-later risk change TLS migration priorities?

A: Because the threat is time-shifted.

Q: How should teams govern machine identities during PQC transition?

A: They should treat certificates, keys, and service endpoints as a governed identity population.

Practitioner guidance

  • Map hybrid TLS support across the estate Identify which web servers, reverse proxies, libraries, and managed clients can negotiate hybrid key exchange today, then record where fallback behaviour exists so you can plan staged adoption.
  • Classify certificates by trust role Separate server, client, and CA certificates in your inventory, and verify Basic Constraints and intended usage so that end-entity identities cannot be confused with issuing authorities.
  • Tie PQC rollout to data retention and confidentiality horizons Prioritise services handling long-lived sensitive data, because HNDL risk increases when intercepted traffic may remain valuable for years after collection.

What's in the full article

Cybertrust Japan's full blog covers the operational detail this post intentionally leaves for the source:

  • Exact Apache and mod_ssl configuration changes used to exercise hybrid key exchange in AlmaLinux 10.
  • Step-by-step certificate generation commands, including the ECDSA key and CA:FALSE extension handling.
  • Environment-specific validation steps for confirming that X25519MLKEM768 negotiated successfully in a browser session.
  • R&D notes on how the test environment fits into the broader PQC preview policy approach.

👉 Read Cybertrust Japan's Apache and AlmaLinux 10 PQC testing notes →

PQC in Apache on AlmaLinux 10: what it means for TLS teams?

Explore further

View Full Forum →  |  NHI Foundation Course →



   
Quote
(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 11186
 

PQC migration is now a machine identity governance problem, not just a cryptography upgrade. Hybrid TLS can reduce long-term exposure, but the real control surface is the certificate and workload estate that has to support it. Teams that cannot inventory service identities, certificate profiles, and client compatibility will turn a cryptography programme into an operational exception factory. The practitioner conclusion is simple: treat PQC as part of identity lifecycle governance.

A question worth separating out:

Q: Who is accountable when a PQC pilot weakens production trust?

A: Accountability should sit with the platform owner that approved the rollout, the security team that defined the policy, and the service owner that accepted the change. If a pilot leaks into production or breaks trust validation, the failure is governance and change control, not just cipher selection.

👉 Read our full editorial: PQC testing in Apache on AlmaLinux 10 highlights HNDL risk



   
ReplyQuote
Share: